(54) Advanced postage payment system employing precomputed digital tokens and with enhanced security



(57) A method and system for postage payment include the generation of a plurality of dispensable discrete items of encrypted data. Each of said items of encrypted data, which may be digital tokens (332, 342), has a specific value. The generated plurality of discrete items of encrypted data are stored on a portable medium (104). A prepayment value (346) is also stored on the portable medium. The stored plurality of discrete items of encrypted data which are dispensable is limited based on the prepayment value stored on the portable medium. The medium may be a device or member having memory means (304) for storing a plurality of dispensable tokens. Means (302) account for digital tokens dispensed from the memory means.

The portable member or device (104) may have a housing with a register means within said housing. The postage prepayment value is stored in the register (346). The plurality of discrete items of encrypted data is stored in the housing with each of the items of encrypted data adapted to be formatted for printing. Means within said housing are coupled to the plurality of discrete items of encrypted data and to said prepayment register for enabling at least one selected item of encrypted data to be communicated outside of the housing if the value stored in register is at least equal to the specific value of the selected item of encrypted data.

The present invention relates to advanced postage payment systems and, more particularly, to advanced postage payment systems having pre-computed postage payment information.

Postage metering systems print and account for postage and other unit value printing such as parcel delivery service charges and tax stamps. These systems have been both electronic and mechanical. Some of the varied types of postage metering systems are shown, for example, in US Patent No. 3,978,457 for MICROCOMPUTERIZED ELECTRONIC POSTAGE METER SYSTEM, issued August 31, 1976; US Patent No. 4,301,507 for ELECTRONIC POSTAGE METER HAVING PLURAL COMPUTING SYSTEMS, issued November 17, 1981; and, US Patent No. 4,579,054 for STAND ALONE ELECTRONIC MAILING MACHINE, issued April 1, 1986. Moreover, other types of metering systems have been developed which involve different printing systems such as those employing thermal printers, ink jet printers, mechanical printers and other types of printing technologies. Examples of these other types of electronic postage meter are described in US Patent No. 4,168,533 for MICROCOMPUTER MINIATURE POSTAGE METER, issued September 18, 1979; and, US Patent No. 4,493,252 for POSTAGE PRINTING APPARATUS HAVING A REMOVABLE PRINT HEAD AND A PRINT DRUM, issued January 15, 1985. These printing systems enable the postage meter system to print variable information which may be alphanumeric and graphic type of information.

Card controlled metering systems have also been developed. These systems have employed both magnetic strip type cards and microprocessor based cards. Examples of card controlled metering systems employing magnetic type cards include US Patent No. 4,222,518 for METERING SYSTEM, issued September 16, 1980; US Patent No. 4,226,360 for METERING SYSTEM, issued October 7, 1980; and, US Patent No. 4,629,871 for ELECTRONIC POSTAGE METER SYSTEM SETTABLE BY MEANS OF A REMOTELY GENERATED INPUT DEVICE, issued December 16, 1986. A microprocessor ("smart card") based card metering system providing an automated transaction system employing microprocessor bearing user cards issued to respective users is disclosed in US Patent No. 4,900,903 for AUTOMATED TRANSACTION SYSTEM WITH INSERTABLE CARDS FOR TRANSFERRING ACCOUNT DATA, issued February 13, 1990. Moreover, systems have also been developed wherein a unit having a non-volatile read/write memory which may consist of an EEPROM is employed. One such system is disclosed in US Patent No. 4,757,532 for SECURE TRANSPORT OF INFORMATION BETWEEN ELECTRONIC STATIONS, issued July 12, 1988 and US Patent No. 4,907,271 for SECURE TRANSMISSION OF INFORMATION BETWEEN ELECTRONIC STATIONS, issued March 6, 1990.

Postage metering systems have also been developed which employ encrypted information printed on a mail piece. The postage value for a mail piece may be encrypted together with other data to generate a digital token. A digital token is encrypted information that authenticates the information imprinted on a mail piece including postage values. Examples of postage metering systems which generate and employ digital tokens are described in US Patent No. 4,757,537 for SYSTEM FOR DETECTING UNACCOUNTED FOR PRINTING IN A VALUE PRINTING SYSTEM, issued July 12, 1988; US Patent No. 4,831,555 for SECURE POSTAGE APPLYING SYSTEM, issued May 16, 1989; US Patent No. 4,775,246 for SYSTEM FOR DETECTING UNACCOUNTED FOR PRINTING IN A VALUE PRINTING SYSTEM, issued October 4, 1988; US Patent No. 4,873,645 for SECURE POSTAGE DISPENSING SYSTEM, issued October 10, 1989; and, US Patent No. 4,725,718 for POSTAGE AND MAILING INFORMATION APPLYING SYSTEM, issued February 16, 1988.

These systems, which may utilize a device termed a postage evidencing device (PED), employ an encryption algorithm which is employed to encrypt selected information to generate the digital token. The encryption of the information provides security to prevent altering of the printed information in a manner such that any change in the postal revenue block is detectable by appropriate verification procedures.

Typical information which may be encrypted as part of a digital token includes the value of the imprint, the origination zip code, the recipient addressee information (or zip code), the date and a piece count number. These items of information when encrypted with a secret key and imprinted on a mail piece provide a very high level of security which enables the detection of any attempted modification of the postal revenue block, where this information may be imprinted both in encrypted and unencrypted form. These digital token systems can be utilized with both a dedicated printer, that is, a printer that is securely coupled to an accounting module such that printing cannot take place without accounting or in systems employing non-dedicated printers and secure accounting system. In this case, the non-dedicated printer may print the digital token as well as have other utility and be employed to print other information.

Digital tokens need to be computed and printed in the postal revenue block for each mail piece. The digital token transformation (DTT) computation requires a secret key, that has to be protected and updated. One of the more difficult problems with encrypted evidence of postage payment is the key management problem. Indeed, the use of two digital tokens (postal and vendor) is described in US Patent No. 5,390,251 of Jose Pastor, George M. Brookner, Robert A. Cordery and Hyung-Kun Kim, for MAIL PROCESSING SYSTEM INCLUDING DATA CENTER VERIFICATION FOR MAILPIECES, issued February 14, 1995, and assigned to Pitney Bowes Inc., the entire disclosure of which is hereby incorporated by reference. In such systems, the digital tokens are usually computed for every mail piece processed. This computation involves taking input data such as piece count, date, origination postal code and postage amount and encrypting this data with secret keys shared by the postage evidencing device (PED) and postal or courier service and by the postage evidencing device and device manufacturer or vendor. This sharing requires coordination of key updates, key protection and other measures commonly referred to as a key management system. The computation of digital tokens takes place upon request to generate tokens by a mailer. This computation is performed by the postage evidencing device. Thus, the postage evidencing device needs to have all the information required for computation, and, most significantly, encryption keys. Moreover, refilling the postage evidencing device with additional postage funds also requires separate keys and a management process. In these systems, the process of token generation is accomplished with real time token computation and tokens can be computed for any combination of input parameters allowed by the system.

It has been discovered that a system can be provided with a great flexibility and enhanced security while enabling a user to employ a system which prints digital tokens.

It has been further discovered that a system can be created which provides protection of the encryption algorithm and secret keys employed to generate digital tokens.

Still further, it has been also discovered that it is possible to implement a postage metering system which utilizes digital tokens and greatly limits the potential compromise of postal funds by unauthorized activity.

The present invention allows for enhanced security such that the security requirements may be modified to meet the reduced potential financial exposure from unauthorized activity by employing pre-computed digital tokens which are stored for subsequent use. The pre-computed digital tokens may have the value of the token and other data encrypted and thereafter stored for later retrieval and use in a portable storage medium. The use of pre-computed digital tokens on a portable storage medium enables the utilization of the digital token technology without the risk of compromise of the encryption algorithm or the encryption key since they are not resident in the portable storage medium. This eliminates a major disadvantage and burden of secret key protection and management.

Utilization of pre-computed digital tokens stored in a secure portable storage medium may reduce or eliminate the need for physical inspection (either by direct physical access to view and/or test the metering device in question or by means of remote inspection such as over telephone lines). In many countries, in North America in particular, postage evidencing devices, specifically postage meters, cannot be sold. They have to be leased by mailers. By regulation, the leasing arrangement is required to allow posts and manufacturers to perform regular inspection of meters in order to help prevent and/or detect unauthorized tampering. These inspections are done regularly, usually two times a year, and represent a significant expense to both posts and manufacturers. The present invention, by limiting the potential risk of loss of postal funds, minimizes and, if desired, avoids the need for inspections. This is because tampering with the device does not provide any advantage other than access to the pre-computed digital tokens stored therein.

The present invention also provides a distinct advantage over postal stamps for both mailers and posts. The postage evidencing device system that utilizes pre-computed digital tokens of the present invention is secure against counterfeiting by employing digital tokens produced by encryption, while providing higher flexibility and convenience to mailers and providing the advantages that postage meters provide over stamps.

In accordance with the present invention, a plurality of dispensable discrete items of encrypted data are generated, each of the items of encrypted data having a specific value. The generated plurality of discrete items of encrypted data are stored on a portable medium. A prepayment value is also stored on the portable medium. The stored plurality of discrete items of encrypted data which are dispensable is limited based on the prepayment value stored on the portable medium.

In accordance with a feature of the present invention, the portable storage device includes memory means for storing a plurality of dispensable digital tokens. Each of the plurality of digital tokens has a specific value. Means account for digital tokens dispensed from the memory means.

In accordance with another feature of the present invention, the portable member or device may have a housing means with a register means within the housing. A postage prepayment value is stored in the register. A plurality of discrete items of encrypted data is also stored in the housing. Each of the items of encrypted data is adapted to be formatted for printing. Each of the encrypted items of data has a specific value. Means within the housing are coupled to the plurality of discrete items of encrypted data and to the prepayment register for enabling a selected item of encrypted data to be communicated outside of the housing if the value stored in the register is at least equal to the specific value of the selected item of encrypted data.

A complete understanding of the present invention may be obtained from the following detailed description of the preferred embodiment thereof, when taken in conjunction with the accompanying drawings, wherein like reference numerals designate similar elements in the various figures, and in which:
FIGURE 1 is a block diagram of an advanced postage payment system employing pre-computed digital tokens and embodying the present invention;
FIGURE 2 is a mail piece having a pre-computed digital token printed thereon and helpful in understanding the present invention;
FIGURE 3 is a diagrammatic representation of a secure portable storage device suitable for use with the advanced postage payment system shown in FIGURE 1;
FIGURE 4 is a flow chart of the operation of the advanced postage payment system shown in FIGURE 1;
FIGURE 5 is a block diagram of a system for generating and loading pre-computed digital tokens into the secure portable storage device shown in FIGURE 3;
FIGURE 6 is a flow chart of the operation of the system for generating and loading pre-computed digital tokens shown in FIGURE 5; and,
FIGURES 7, 8 and 9 are memory requirement tables for various digital token data arrangements suitable for use in the secure portable storage device shown in FIGURE 3.

A system is provided for evidencing postal payment utilizing digital tokens where token computation is to be performed off-line. That is, the system pre-computes all the tokens that may be required within a certain pre-specified period of time and stores them in storage media such as a smart card or CD-ROM, or read only NVM or any other suitable device. The storage media may be protected against tampering. In this case, the postage evidencing device that performs printing of the evidence of postage need not have stored therein or have access to any secret keys, with the exception, if desired, of session keys needed for accessing information from protected tokens storage. Session keys, which are not described herein, are used for only one particular communication session. Such keys are described in Applied Cryptography by Bruce Schneier, published by John Wiley and Sons, Inc., 1994. In the system, the postage evidencing device has to insure that the appropriate amount of postage value is subtracted from a prepaid postage register every time a pair of tokens is extracted from the memory (or protected storage area) where the pre-computed digital tokens are stored. The key management in this system is thus greatly simplified. Moreover, the overall security of the system as measured by the postal exposure (irrecoverable loss of revenue by a post due to unauthorized or fraudulent use of the system) is greatly reduced.

In the case of pre-computed tokens, which more generically are a plurality of dispensable discrete items of encrypted data, stored in the storage media, the postal exposure is limited to the total amount associated with all the tokens stored. Thus, if the storage device stores 2,000 pairs of tokens for the first class 1 oz mail having a $0.29 value, the total exposure to the post would be limited to $580 (2,000 X $0.29). The alternative arrangement when the postage evidencing device performs calculation of tokens in real time may require a master secret key that is used to generate and update other keys involved. A compromise of such master key could theoretically, absent other protection, expose the post to a potential problem in revenue protection.

Since the number of all possible combinations of input parameters to the digital token transformation (encryption algorithm) is quite large, an unjustifiable and uneconomically large tokens storage would be required for all possible combinations. The present invention reduces the storage requirement. The system limits the possible combinations of parameters, for example by not allowing certain postage denominations and reducing the number of tokens that can be retrieved on a given date. Alternatively, the system can exclude date data from the digital token transformation, but separately encrypt the date with a separate resident key on the portable storage medium that does not have to change. However, this will make the key management process more complicated. Thus, the system described below utilizes a reduction in the number of parameter combinations while providing great flexibility to the mailer and greater protection to the Postal Service.

Reference is now made to FIGURE 1. An advanced postage payment system 102 employs pre-computed digital tokens stored on a secure portable storage medium or device 104. The secure portable storage device 104 may be a portable device having a microprocessor and non-volatile memory along with various peripheral components. Such portable devices are often termed "smart cards". The portable medium is a housing which is secure in the sense that the information stored in the card is protected against unauthorized access. The levels of security vary with design and user requirements. The security may involve leaving physical indications of attempts to gain physical access such as by delamination of the card and/or shielding for physical and electromagnetic security. Electronic security may be provided by erasure of all or some of the digital tokens stored in the secure portable storage device if attempted electrical penetrations or physical attack is detected and/or altering the digital tokens in a manner to later flag (with or without decryption) the attempted electronic penetration or physical attack. This portable secure device or medium 104 is described in greater detail in connection with FIGURE 3.

The advanced postage payment system 102 includes a secure portable storage device reader 106 adapted to receive the device 104 and read data from the device. A controller 108 is operatively coupled between the reader 106 and a printer 110. In response to data entry to the controller, such as from a keyboard 111, the secure portable storage device reader 106 retrieves information from the secure portable storage device 104, such as digital tokens to be printed, and passes the data to the printer 110 to be printed on a mail piece 112 as is shown in FIGURE 2.

Reference is now made to FIGURE 2. The information printed on the envelope 112 includes the information obtained by the controller 108 from the secure portable storage device 104 and sent to the printer 110. A postage amount 202, here $0.52, is printed along, if desired, with a graphic indicia 204. The indicia graphics may be associated with a particular advanced postage payment system manufacturer. The particular indicia shown is an eagle design. The indicia graphics may also include the town origin circle 204a, the graphical information around the postage amount 204b and any other graphic information desired to be imprinted on the mail piece. The indicia 204 may be either stored in the controller 108 or, if desired, on the secure portable storage device 104. Since the graphical portion of the indicia 204 does not include security information, it can be stored either in the controller 108 or the printer 110 (if it has a memory capability) or the secure portable storage device 104, depending upon the system design.

An originating Postal Office code 206 for the originating post office is imprinted. This Originating Postal Office Code is also stored on the secure portable storage device 104 and is utilized and corresponds to the graphical information printed at 204a. It should be recognized that although it is highly desirable from a security point of view to include an originating postal office code 206 on the secure portable storage device 104, if this level of security is not needed, this information may be stored in the controller 108 or the printer 110. Nonetheless, whether or not obtained from the card for imprinting, this information may be encrypted into the printed information on the mail piece or into the digital tokens.

Also printed on the mail piece 112 is the Vendor Identification Code 208. This information may be the leading digit of the Secure Portable Storage Device Identification 210. The Vendor Identification and Secure Portable Storage Device Identification are stored within the portable device 104. The Date of Submission 212 is printed and must correspond to the particular digital tokens 214 (Postal Digital Token) and 216 (Vendor Digital Token) which authenticate the Postage Amount 202 and other encrypted information printed on the mail piece. Because of the relationship of the printed information and the encrypted digital tokens, the Postage Amount 202 imprinted on the mail piece can be authenticated at a later date by a postal service and also by the manufacturer (vendor). The use of postal digital tokens 214 and vendor digital tokens 216 is described in the above identified US patent application. The piece count, which constitutes a digital token serial number, is shown at 219. The digital token serial number 219 is included in the data input to the digital token transformation used to generate the digital tokens 214 and 216. A check digit or other error control code is shown at 217.

Reference is now made to FIGURE 3. The secure portable storage device 104 includes a central processing unit 302 containing a microprocessor and all necessary peripheral devices such as random access memory (RAM) and read only memory (ROM). The device 104 is a secure portable storage device which precludes writing into the device after the device has been put in service. The secure portable storage device can be implemented via well known technologies such as smart cards, personal computer microcard industry association (PCMCIA) cards or other technology. The communication between the advanced postage payment system and the secure portable storage device 104 does not have to be secure. This provides additional cost savings. The number of possible digital tokens stored in the secure portable storage device 104 is limited only by the physical limitations of available storage technology.

The central processing unit 302 is connected to a non-volatile programmable memory shown generally at 304 via a bi-directional address and data bus 306. Additionally, the central processing unit 302 is connected to an input/output device (I/O) 308 through an additional bi-directional address and data bus 310. The I/O device 308 is coupled via another bidirectional address and data bus 312 to a secure portable storage device connector 314. The connector 314 is adapted to cooperate in operative relationship with the connectors, not shown, associated with the secure portable storage device reader 106.

The non-volatile memory 304 is capable of having data read from it and written into it by the central processing unit 302. The central processing unit 302, however, will not allow any data external from the card 104 to be transferred via the connector 314, the I/O device 308 and the central processing unit 302 to write into any secure postage storage areas of the non-volatile memory 304. In a preferred embodiment, the non-volatile memory 304 may not have any data whatsoever written into it from an external source since this is not necessary to operation of the present invention and enhances the security of the system. The non-volatile memory includes a number of memory locations containing data necessary to account for and store pre-computed digital tokens to be printed by the advanced postage payment system 102. The secure portable storage device identification is stored in the non-volatile memory 304 at 316. In the particular configuration shown, the lead digit of this identification, "0", is the Vendor Identification 208 printed on the mail piece 112. The remaining digits of the secure portable storage device identification 316 are printed on the mail piece 112 as the Secure Portable Storage Device identification 210. The date of the secure portable storage device 104 issue or activation (as desired) is located at 318. An expiration date for the secure portable storage device 104 is stored at 320. This expiration date is the date beyond which the device 104 is no longer operable to issue digital tokens for printing by the system 102. The non-volatile memory 304 also contains the Originating Postal Office Code 322 which defines a predetermined geographical location in which a mail piece utilizing a pre-computed digital token stored on the secure portable storage device 104 may be deposited into the mail stream.

A plurality of digital tokens (both postal and vendor tokens) are stored for each of a series of days, from day 1 through day 90, shown, respectively, as 324, 326 and 328. On each day, day 1 through day 90 (including those days, day 3 through day 89, not shown), a predetermined number of pre-computed digital tokens are stored. The digital tokens are stored and organized by a piece count number or digital token serial number 330 for each digital token. Since thirty digital tokens are stored for day 1, thirty piece counts are provided; however, it should be noted that these can be a single number which is incremented for each of the tokens. This is because, from the data storage point of view, various standard techniques may be employed to considerably compress the data while not losing information. Associated with the piece count 330 is a pair of digital tokens 332 having a particular value here shown at 334 as $0.29. The next digital token pair is identified by an incremented piece count shown at 336. These digital tokens 338 have a value of $0.52 shown at 340. A continued series of digital tokens may be stored for the particular day of different values, as desired by the purchaser of the secure portable storage device 104. The number of digital tokens stored for any particular day limits both the number of tokens that may be issued by the device on that day and the total value of postage which may be issued on that day.

Reference is now made to day 2, shown at 326. The specific digital token series 342 has been shown as printed on the mail piece 112. This represents a postage value of $0.52 shown at 343 and a piece count of 0000031 shown at 344. Each time a digital token is retrieved from the non-volatile memory 304 by the central processing unit 302, the prepaid postage value register 346 is decremented to reflect the issuance of the digital token by the secure portable storage device 104. Each time a digital token is retrieved, that is, dispensed, from the non-volatile memory 304 the memory location is disabled, for example, by erasing the data at the memory location from where the digital token was retrieved. This precludes dispensing a digital token more than once. The process continues until the prepaid postage value stored in register 346 reaches zero or below the value for the minimum postage digital token still available for retrieval. When this occurs, no further digital tokens are retrievable from the secure portable storage device 104, even though additional digital tokens, not used, may remain stored in the non-volatile memory 304. The printed postage value register 346 can, of course, be arranged in other ways such as incrementing each time a digital token is retrieved until the initially stored prepayment value is reached.

In the above manner, a plurality of digital tokens having a predetermined value, that is, the sum total value of all of the digital tokens stored in the non-volatile memory for each of the days for which the secure portable storage device 104 is usable. This predetermined value may be equal to or less than the prepaid value stored in the prepaid postage value register 346. For example, if the prepaid postage value stored (or remaining after use) in register 346 was $0.81, all or part of this value could be used on day 1 or day 2 to retrieve a digital token having a specific value of $0.29 and another digital token having a specific value of $0.52.

To provide a greater flexibility, the stored digital tokens will normally exceed the value of the prepaid postage value stored in register 346. This is to enable a user to issue digital tokens that correspond to the rate table and rate table breaks of the particular postal service. Thus, as is presently the case in the United States, the first ounce for a mail piece is $0.29 while the mail pieces over 1 ounce and under 2 ounces are $0.52. Therefore, these represent postage values for digital tokens that a user would find highly desirable. Fewer digital tokens may be stored for a given day for 3 ounce mail pieces, $0.75, since a mailer's usage pattern may involve more mail pieces under the 1 ounce or 2 ounce mail piece weight breaks. Thus, a given mailer taking into account the mailer's needs, both in terms of the daily postage usage and types of mail being posted, as well as the days in the mailing cycle for the mailer, can specify and tailor the digital tokens stored on the portable storage device 104 to meet the particular unique needs of the mailer. Thus, if the mailer has a particular high mail volume on day 4 of the month, the mailer may arrange for the digital tokens on May 4, 1994 for card 104 to have a high volume of postage of particular denominations. This ability to selectively store digital tokens of a different denomination usable on particular days in a manner which correlates to the mailer's past experience, helps the mailer to avoid misappropriation of postal funds for other than authorized applications, since the anticipated postage needed is available on specified days. If the available digital token postage does not correspond to the required usage, an investigation can be made by the mailer as to the reason for non correspondence.

Reference is now made to FIGURE 4. A user enters 
a current date at 402. The user then enters the 
desired postage rate denomination at 404. Alternatively, 
the user may enter the rate classification or 
other rating parameters sufficient for appropriate 
postage determination. If the date and rating information 
is not appropriate at 406, the process is stopped 
and an error message is displayed at 408. On the 
other hand, if the date and rating information is 
appropriate, the process continues and a determination is 
made at 410 if the secure removable storage device 
has sufficient funds in the prepaid postage value 
register 346. If sufficient funds do not exist, the process 
is stopped and an error message is displayed at 412. 
If sufficient funds are available, the process continues 
and a determination is made at 414 if the secure 
portable storage device has the required postage 
denominations requested by the user or determined at 
404. If the required denominations are not available, 
the process is stopped and an error message is 
displayed at 416. If the required denominations are 
available, the required postage is subtracted at 418 from 
the remaining amount in the prepaid postage value 
register 346. Depending upon the system design, 
updating of other registers that may be within the 
prepaid postage value register 346 can be implemented. 
These may include an ascending and a descending 
register. In such case the ascending and descending 
registers are used as a form of double balance lockout 
system and error checking system as is known in 
existing postage meter systems. 

The process continues with the retrieval of the 
postal and vendor digital tokens and piece count data 
which is sent to a postal revenue block formatting 
routine (not shown) at 420. The postal revenue block 
formatting routine is designed to format the data for 
appropriate printing on a mailpiece in the form shown in 
FIGURE 2. Any suitable formatting routine may be 
used with the present invention. An error correction 
and error detection code is calculated and is sent to 
the postal revenue formatting routine at 422 to be 
formatted with other data to be printed. The postal 
revenue block (PRB) is then printed at 424. It should be 
noted that the postal revenue block formatting routine 
desirably resides outside the secure portable storage 
device 104. It may be part of the software associated 
with advanced postage payment system controller 
108 or printer 110. The same applies to the calculation 
of the error correction and error detection code. 

It should be recognized from the above description 
that the secure portable storage device includes 
a prepaid postage value register 346 which records 
the total available postage. 

Before a pair of digital tokens corresponding to a 
postage request is retrieved, two tests must be 
performed. First, the value of the postage request is 
compared to the value available in the prepaid postage 
value register. Second, the postage value and date of 
submission are compared to the value and date of the 
available tokens. 

If sufficient funds are available, and if a pair of 
tokens for the requested value and date is available, 
then the piece count and digital tokens are retrieved 
by the microprocessor on the secure portable storage 
device. 

The area of nonvolatile memory containing the 
retrieved data is disabled, for example by erasing the 
data. The prepaid value register is decreased by the 
value of the denomination of postage requested. After 
these operations are complete the data is provided to 
the communication port of the secure portable stor- 
age device. 
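
The dispensing sequence of FIGURE 4 and the two tests described above, as an added Python sketch that is not part of the patent. The class and field names, the sample token digits and the control-total form of the double-balance check are assumptions made for illustration; the box numbers are the patent's.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


class DispenseError(Exception):
    """A failed check; `step` is the FIGURE 4 box that reports the error."""

    def __init__(self, step: int, message: str):
        super().__init__(message)
        self.step = step


@dataclass
class SecureCard:
    first_valid: date
    valid_days: int
    descending: int        # register 346: prepaid cents still available
    ascending: int = 0     # cents dispensed so far
    # (date, denomination in cents) -> list of (piece_count, postal, vendor)
    slots: dict = field(default_factory=dict)

    def __post_init__(self):
        # Assumed double-balance check: both registers always sum to this.
        self._control_total = self.ascending + self.descending

    def load(self, day, cents, piece_count, postal, vendor):
        """Store one pre-computed token pair (done once, at card creation)."""
        self.slots.setdefault((day, cents), []).append(
            (piece_count, postal, vendor))

    def dispense(self, today: date, cents: int):
        # Lockout if the registers disagree (step 0: no box number on the page).
        if self.ascending + self.descending != self._control_total:
            raise DispenseError(0, "register mismatch, card locked out")
        # 406/408: date and rating information must be appropriate.
        last_valid = self.first_valid + timedelta(days=self.valid_days - 1)
        if cents <= 0 or not (self.first_valid <= today <= last_valid):
            raise DispenseError(408, "date or rating not appropriate")
        # 410/412: first test, request value against the prepaid register.
        if cents > self.descending:
            raise DispenseError(412, "insufficient prepaid postage")
        # 414/416: second test, a token pair for this value and date exists.
        pairs = self.slots.get((today, cents))
        if not pairs:
            raise DispenseError(416, "no token of that value for this date")
        # Disable the stored pair, then account for it (418), and only
        # then hand the data to the communication port.
        record = pairs.pop(0)
        self.descending -= cents
        self.ascending += cents
        return record
```

Because the pair is removed from storage and the register is debited before anything is returned, a repeated request for the same denomination fails at 416 or 412 instead of releasing the same token twice.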

Reference is now made to FIGURE 5. The secure 
portable storage device 104 is adapted to be connect- 
ed to a secure portable storage device read/write unit 
502. The device 104 prior to being processed by unit 
502, except as explained below, has no data relating 
to the digital tokens stored in the non-volatile memory 
304 and the memory is clear in the locations where 
the tokens are to be stored. The unit 502 is connected 
by a bidirectional communications bus 504 to a Sys- 
tem Computer 506, which in turn is connected by a bi- 
directional communications bus 508 to a data entry 
terminal 510. The system computer 506 is connected 
to a secure co-processor 512 which generates in the 
present embodiment, both the vendor tokens and the 
postal tokens for storage via the computer system 506 
and the read/write unit 502 in the secure portable stor- 
age device 104. A secure communications link 514 is 
provided to a remote data center which may include 
both the postal data center and the vendor data center 
for key management purposes to periodically update 
the encryption key used to generate the postal digital 
tokens and the vendor encryption key used to generate 
the vendor digital tokens. Other key management 
arrangements of these secure co-processor key 
generations are possible. Various arrangements are 
disclosed in the above identified co-pending patent 
application as well as in US Patent Application of Hy- 
ung-Kun Kim, Robert A. Cordery and Leon A. Pintsov, 
Serial No. 08/133,416, filed October 8, 1993 entitled 
ENCRYPTION KEY CONTROL SYSTEM FOR MAIL 
PROCESSING SYSTEM HAVING DATA CENTER 
VERIFICATION and assigned to Pitney Bowes Inc. 
(corresponding to European Patent Application 94 
115 899.1, the entire disclosure of which is hereby in- 
corporated by reference) and, US Patent Application 
of Leon A. Pintsov, Richard A. Connell, Ronald P. 
Sansone and Alfred C. Schmidt, Serial No. 
08/133,398, filed October 8, 1993 for POSTAL RAT- 
ING SYSTEM WITH VERIFIABLE INTEGRITY, and 
assigned to Pitney Bowes Inc. (corresponding to European 
Patent Application 94 307 376.7, the entire 
disclosure of which is hereby incorporated by reference). 

As it can be seen from the above, the secure co- 
processor 512 computes postal and vendor digital 
tokens based on a secret key stored therein. The se- 
cure co-processor communicates tokens to a system 
computer 506 which, in turn, passes them for storage 
in the secure portable storage device 104. The secure 
co-processor 512 is housed in tamper resistant pro- 
tected housing 513. Key updates can be organized 
via a secure channel to a Data Center. The Data Cen- 
ter generates and updates keys for all secure portable 
storage device generation systems and all verifica- 
tion devices. 

It should be expressly noted that the described 
system can generate both standard and custom made 
secure portable storage devices with ease. For exam- 
ple, the standard selection can be $50.00 worth of 
postage which can be spent in a single denomination 
($0.32) for three months up to 20 letters a day, or 
$60.00 worth of postage which can be spent in two 
denominations ($0.32 and $0.57) for two months up 
to 10 letters a day, etc. A custom selection can be 
$96.00 worth of postage which can be spent in a sin- 
gle denomination ($0.32) for three days up to 100 let- 
ters a day. In case of secure portable storage device 
malfunction, any postage left in the secure portable 
storage device can be credited to the customer and 
loaded into a new secure portable storage device. 
The process of doing so can be implemented by using 
smart cards of the type described in the text Contem- 
porary Cryptology, noted below. 

Reference is now made to FIGURE 6. The prepaid 
postal value, the value stored in register 346 on 
secure portable storage device 104, is entered at 602. 
The total number of days for which the secure port- 
able storage device is valid and the first valid day for 
the device is then entered at 604. Thereafter, the 
number of postage values, that is, the various post- 
age denominations, is entered at 606. For each day, 
each postal value of denomination is specified as well 
as the number of denominations and total number of 
mail pieces for that day at 608. The number of mail 
pieces corresponds to the secure portable storage 
device piece count arranged for the particular day. 
Thus, for example, for day 2 on device 104, the num- 
ber of mail pieces is thirty with the piece count rang- 
ing from a first piece count of 31 and a final piece 
count of 60. 

The total storage requirement is then computed 
at 610. If the computed total storage requirement is 
larger than the storage available in the secure 
portable storage device non-volatile memory 304, the 
system loops back and requires a new configuration 
to be entered. If the storage requirement for the 
specified configuration is not larger than the secure 
portable storage device non-volatile memory 304, then at 
614 the digital tokens are computed and stored in the 
secure portable storage device non-volatile memory 
and the prepaid postage value is stored in register 
346. Finally, the data stored in the secure portable 
storage device with pre-computed digital tokens and 
its accessibility is verified at 616 to ensure an 
operable device has been created. 

As an exception to precluding writing to nonvolatile 
memory 304 after the secured portable storage 
device has been put in service, it should be expressly 
noted that the secure portable storage device 104 
may be of that group of devices that is capable of 
having areas of the non-volatile memory securely 
protected from having data written therein, which secure 
protection can be selectively enabled and disabled. 
Examples of such devices are described in Chapter 
12, entitled "The Smart card, Standardized Security 
Device Dedicated To Public Cryptology" of the text 
Contemporary Cryptology, The Science of Information 
Integrity, published by IEEE Press and edited by 
Gustavus J. Simmons, Sandia National Laboratories, 
copyright 1992 by the Institute of Electrical and 
Electronics Engineers, Inc. With devices of this type, the 
secure portable storage device 104 may be reused to 
store additional digital tokens on the device. This 
reduces the card cost by allowing the secure portable 
storage device to be reused. If desired, the number of 
write cycles to the non-volatile memory 304 can be 
limited by hardware incorporated on the device so 
that the card may be reusable, for example, 2, 3, 4 or 
any other selected number of times. 

Reference is now made to FIGURES 7-9. The 
amount of memory required for the secure portable 
storage devices for various digital token configurations 
is shown in table form. The table shows the 
memory requirements for periodically loading a 
secure portable storage device with pre-computed token 
values to thereafter be selectively retrieved for use 
with an advanced postage payment system. For a 
given advanced postage payment system, the 
variable information may be the postage value amount, 
the piece count, and the date. To assure that the 
memory space required is limited to the amount 
allowed by current "smart card" capabilities, certain 
restrictions are placed on the variable information. 
Thus, the postage value amounts will only be 
available in a limited number of denominations such as 
one, two, or three denominations, for example, $0.19, 
$0.29, and $0.52. Also, the digital tokens will be valid 
for a limited period of time and limitations will be 
placed on how many indicia may be printed each day 
(or group of days). 

The postage evidencing device identification in 
the present described system is replaced by the 
secure portable storage device serial number and each 
serial number will be used for one card purchase only. 
This will necessitate using a wider range of serial 
numbers because of the larger number of secure 
portable storage devices. Additionally, using a 
non-consecutive piece count could cause the piece count to 
run up very quickly. Since each card identification is 
used only once, this problem is resolved by initializing 
the piece count to 1 for every card. Alternatively, upon 
surrendering a card with a given identification, a new 
card may be issued with the same identification and 
higher piece counts. Various arrangements are pos- 
sible and are within the scope of the present inven- 
tion. 

With regard to the amount of memory required by 
the precomputed tokens, first suppose that there are 
B denominations available, the piece count ranges 
from 1 to C, and the postage can be used over a per- 
iod of D days. In this case, at initialization of the se- 
cure portable storage device memory it would not be 
known which combination of inputs will be used and 
all are possible so the look-up table would have to 
cover all (B)(C)(D) combinations. For example, if B = 
2, C = 100, and D = 30, then the number of possible 
inputs to the digital token transformation is 6000. A 
digital token system as shown in connection with FIG- 
URES 1-6 requires 16 bits for each pair of tokens be- 
cause the present system employs two digital tokens 
each having two decimal digits, requiring four bits per 
digit when binary coded. 

Since each pair of tokens can be represented by 
16 bits, a look-up table, in the above example, requires 
about 12K of memory. This is because the secure 
portable storage device memory can be organized so 
that very little additional storage is required for index- 
ing the denominations, piece counts, and dates asso- 
ciated with the token information. This size of storage 
may exceed current standard mass produced smart 
card memory capabilities, but can, of course, be im- 
plemented in a secure vault or cartridge type of ar- 
rangement where the memory may be of a much larg- 
er size. 

To reduce the number of combinations, so that 
the storage size does not exceed current standard 
mass produced smart card memory capabilities, such 
as 2 to 3 kilobyte memory storage smart cards, the 
daily postage use may be limited to N pieces per day 
and the piece counts to 1 to N on day 1, N+1 to 2N 
on day 2, etc. In the following, a unique denomination 
is assigned to each piece count. In this arrangement, 
piece counts are skipped if all N pieces are not used. 
Then if D = 30, and N = 10, the number of combina- 
tions is (D)(N) = 300 and the look-up table requires 
0.6K of memory. This is clearly attainable with current 
smart cards. Here the total number of pieces C is only 
used to regulate the total number of mail pieces gen- 
erated and can be eliminated because a prepaid post- 
age value register, which was previously noted and 
may be a descending funds or other type of register, 
is maintained. If N = C, that is, there are no restrictions 
on daily postage use, then the memory requirements 
may again exceed that of current mass produced 
smart cards. The memory requirements (in kilobytes) 
for the number of different denominations ranging 
from 1 to 3, a number of days ranging from 10 to 90 
(in increments of 2), and the maximum number of mail 
pieces per day ranging from 5 to 100 (in increments 
of 5) are shown in FIGURES 7-9. 

The memory requirement above can be generalized 
as follows. A user will be allowed to purchase a 
secure portable storage device containing pre-computed 
tokens that have been tailored to suit the user's needs. 
The tokens will be valid over a period of D days, and 
on the i-th day, the postage use will be restricted to $N_i$ 
pieces (on day i, the available piece counts will range 
from $N_1+N_2+N_3+\dots+N_{i-1}+1$ to $N_1+N_2+N_3+\dots+N_{i-1}+N_i$). 
The mailer may also elect for different postage 
denominations (as many as B) but a unique denomination 
is assigned to each distinct piece count. The total 
number of tokens that must be pre-computed to 
account for all possibilities is: 

$$\sum_{i=1}^{D} N_i$$

Additionally, the mailer will purchase an amount of 
postage value to cover the mailer's anticipated 
usage. This will be stored in the prepaid postage value 
registers. At the end of D days, the remaining 
postage, if any, will either be refunded or transferred to 
the next secure portable storage device. 

Typically, D will range from 30 to 60 days. Then, 
if there are about 2K of memory available for the 
look-up table to store digital tokens, the daily use profiles, 
$(N_1, N_2, N_3, \dots, N_D)$, that can be accommodated are 
those for which 

$$\sum_{i=1}^{D} N_i \le 1000.$$

For example, if D = 30, then a mailer can set up his 
card to allow as many as 33 tokens each day or, if the 
mailer anticipates a high use during a two day period, 
the mailer can set up the secure portable storage 
device to allow 100 pieces on each of those two days 
and as many as 30 pieces on the other 28 days. In the 
latter case, it is important that the mailer be able to 
accurately predict the mailer's bulk needs on each of 
the two high usage days. Even if D is as high as 100, 
however, a secure portable storage device in a smart 
card form can still be set up to allow as many as 10 
pieces each day. This is not very restrictive, 
particularly for home or for small business use. 

FIGURE 7 displays the memory requirements in 
kilobytes for a single denomination card, that is, a 
card containing a single postage value, providing the 
maximum number of mail pieces per day in the top 
row and the number of days for which the card is valid 
in the left most column. Thus, for example, a card 
which will have a maximum number of 35 mail pieces 
per day for a period of 40 days will require 2.8 
kilobytes of non-volatile storage memory. In FIGURE 8, 
two different denominations of postage value are 
allowed for each piece count. The storage requirements 
in kilobytes are again shown for various 
maximum numbers of mail pieces per day for a specified 
number of days. In this case, as an example, for a 
maximum of 50 mail pieces per day for a period of 90 days 
the card will require 18 kilobytes of non-volatile 
memory. Finally, in FIGURE 9, a memory requirements 
table is shown for three different denominations of 
postage values for various maximum numbers of mail 
pieces per day for a specified number of days. Here, 
for example, for a maximum number of 80 mail pieces 
per day for a period of 48 days the card would require 
23.04 kilobytes of non-volatile memory. 
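
The sizing arithmetic above, together with the capacity check that follows step 610 of FIGURE 6, as an added Python example that is not part of the patent. The function names and the `denominations_per_piece` parameter are assumptions, and a kilobyte is taken as 1000 bytes, which is what the quoted figures imply.

```python
from itertools import accumulate

# Two tokens of two decimal digits each, four bits per digit: 16 bits.
BYTES_PER_TOKEN_PAIR = 2


def piece_count_ranges(daily_limits):
    """Piece counts usable on each day: day i gets N_1+...+N_(i-1)+1
    through N_1+...+N_i. A day with a limit of 0 gets None."""
    ends = accumulate(daily_limits)
    return [(end - n + 1, end) if n else None
            for n, end in zip(daily_limits, ends)]


def table_bytes(daily_limits, denominations_per_piece=1):
    """Look-up table size for a daily use profile (N_1, ..., N_D).

    denominations_per_piece is 1 when a unique denomination is assigned
    to each piece count, and 2 or 3 for the layouts of FIGURES 8 and 9.
    """
    pairs = sum(daily_limits) * denominations_per_piece
    return pairs * BYTES_PER_TOKEN_PAIR


def plan_card(daily_limits, capacity_bytes, denominations_per_piece=1):
    """Size a requested configuration and accept or reject it.

    A rejected plan corresponds to the loop back to data entry; an
    accepted plan carries the per-day piece count ranges to precompute.
    """
    if not daily_limits or any(n < 0 for n in daily_limits):
        raise ValueError("profile needs one non-negative limit per day")
    if denominations_per_piece < 1:
        raise ValueError("at least one denomination per piece count")
    needed = table_bytes(daily_limits, denominations_per_piece)
    if needed > capacity_bytes:
        return {"fits": False, "needed": needed,
                "over_by": needed - capacity_bytes}
    return {"fits": True, "needed": needed,
            "ranges": piece_count_ranges(daily_limits)}


if __name__ == "__main__":
    # Constructed request: 33 pieces a day for 30 days on a 2000-byte card.
    plan = plan_card([33] * 30, capacity_bytes=2000)
    print(plan["fits"], plan["needed"], plan["ranges"][:2])
```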

While the present invention has been disclosed 
and described with reference to the disclosed 
embodiments thereof, it will be apparent, as noted 
above, that variations and modifications may be 
made therein. It is, thus, intended in the following 
claims to cover each variation and modification that 
falls within the true spirit and scope of the present 
invention. 

Claims 

1. A postage payment system, comprising: 

means (304) for storing a plurality of discrete 
items of encrypted data on a portable 
medium (104); each item having a specific value; 

means (304) for storing a prepayment value 
on said portable medium (104); 
and, 

means for limiting said stored plurality of 
discrete items of encrypted data which are 
dispensable based on the prepayment value stored 
on said portable medium (104). 

2. A system as defined in CLAIM 1 further compris- 
ing: 

means for dispensing selected ones of 
said stored plurality of discrete items of encrypted 
data from said portable medium. 

3. A system as defined in CLAIM 2 wherein said 
dispensing means limits the selectable ones of said 
stored plurality of discrete items of encrypted 
data that are dispensable to a total value that 
does not exceed said stored prepayment value. 

4. A system as defined in CLAIM 2 wherein said dis- 
pensing means limits the dispensing of said plur- 
ality of discrete items of encrypted data to a pre- 
determined number or value of discrete items of 
encrypted data which can be dispensed during a 
predetermined time period. 

5. A system as defined in CLAIM 2 wherein said 
means for dispensing limits the dispensing of 
said plurality of discrete items of encrypted data 
to (a) a predetermined number of discrete items 
of encrypted data which can be dispensed during 
a predetermined time period and to (b) a prede- 
termined total value number of discrete items of 
encrypted data dispensed during a predetermined 
time period. 

6. A system as claimed in any preceding claim fur- 
ther comprising: 

means for generating said plurality of dis- 
pensable discrete items of encrypted data. 

7. A system as defined in any preceding claim 
wherein said plurality of dispensable discrete 
items of encrypted data are a plurality of dispens- 
able digital tokens, said portable medium means 
for limiting includes a processing means (302), 
said means for storing prepayment value includes 
a nonvolatile memory means (346) connected to 
said processing means (302), and said means for 
storing discrete items of encrypted data includes 
nonvolatile memory means (304) connected to 
said processing means (302). 

8. A system as defined in CLAIM 7 wherein said 
processing means (302) controls access to said 
digital token nonvolatile memory means (304) to 
allow dispensing of selected ones of said plurality 
of digital tokens stored therein only after the spe- 
cific value of each selected digital token to be dis- 
pensed has been accounted for with respect to 
prepayment value. 

9. A system as defined in CLAIM 7 wherein access 
to said digital token nonvolatile memory means 
(304) is controlled to allow access to said digital 
tokens stored therein only after the value of each 
selected digital token to be dispensed has been 
accounted for with respect to said stored prepay- 
ment value. 

10. A portable medium as defined in any preceding 
claim wherein each of said items of encrypted 
data is dispensable on a predetermined day. 

11. A portable storage device, comprising: 

memory means (304) for storing a plurality 
of dispensable digital tokens, each of said plurality 
of digital tokens having a specific value; and, 

means (302) for accounting for digital tokens 
dispensed from said memory means (304). 

12. A portable device as defined in CLAIM 11 wherein 
each of said digital tokens is dispensable on a 
predetermined day. 

13. A portable device as in CLAIM 11 or 12 wherein 
each digital token has a specific value which 
represents a postage payment amount, corresponding 
to a postage payment rate for a mail piece. 



14. A portable device as defined in CLAIM 11, 12 or 
13 wherein each of said plurality of digital tokens 
contains (a) identifying data for said portable 
device and (b) a geographic locality code from 
which a mail piece imprinted with dispensed 
digital token is to enter a mail carrier delivery 
process. 

15. A portable member for an advanced postage 
payment system, comprising: 

housing means (104); 

a register means (346) within said housing 
(104) for storing a postage prepayment value; 

means (304) for storing a plurality of discrete 
items of encrypted data in said housing, 
each of said items of encrypted data adapted to 
be formatted for printing and each of said 
encrypted items of data having a specific value; 
and, 

means (302) within said housing (104) 
coupled to said means for storing and to said 
prepayment register for enabling at least one selected 
item of encrypted data to be communicated 
outside of said housing if the value stored in said 
register means is at least equal to the specific 
value of said selected item of encrypted data. 